Rapid7 Blog

Weekly Update: Minecraft RAT Attacks, PHP Shell Games, and MongoDB

Minecraft-Vectored Malware

Metasploit exploit developer Juan @_juan_vazquez_, while trawling the Internet for the next hot exploit, came across this pastie describing a Java exploit which takes advantage of a vulnerability in Java's Color Management classes. Turns out, this is also one of the vulns being exploited in McRat, a Trojan targeting Windows-based Minecraft players (that's what the "Mc" stands for).

McRat is compelling to potential victims because of its specificity and large potential victim pool. By targeting Minecraft players, attackers are specifically avoiding the browser vector, for starters. They're also playing on people's tendency to install non-work related software on work machines, so your victims, by default, are not going to get a lot of love from their IT departments. On top of this, they're more likely to ignore the blanket advice to "disable Java," because they may not be aware that disabling Java in the browser won't, in fact, impact their stand-alone Minecraft experience.

There's since been a patch for this vulnerability -- it looks like Oracle is moving ever faster to knock out patches for these things. They also appear to have abandoned their quarterly patch cycle for all practical purposes when it comes to actively exploited security issues. If you haven't updated yet to Java 7u17 (or 6u43), now's a good time. If you believe you've patched, you can use the new module, Java CMM Remote Code Execution, to make sure.
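The post names the fixed JRE levels (7u17 and 6u43). As an added example, not code from the post or from Metasploit, the following Python check parses the first line of `java -version` output gathered from stand-alone JRE installs (the banners below are constructed) and flags hosts whose update level is still below the fix, which is the inventory step a defender would run before trusting the "patched" claim.

```python
import re

# Minimum patched update level per Java major version, as named in the post:
# Java 7 Update 17 and Java 6 Update 43 carry the Color Management (CMM) fix.
PATCHED_UPDATE = {6: 43, 7: 17}

# Matches e.g. 'java version "1.7.0_15"'; the update suffix may be absent.
_VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(banner: str):
    """Return (major, update) from a `java -version` banner line,
    e.g. '1.7.0_15' -> (7, 15). Returns None if the banner is not recognised."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def is_patched(banner: str) -> bool:
    """True when the installed JRE is at or above the fixed update level.
    Unrecognised banners and majors not in the table are reported as
    unpatched so they get reviewed instead of silently passing."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return False
    major, update = parsed
    if major not in PATCHED_UPDATE:
        return False
    return update >= PATCHED_UPDATE[major]


# Constructed sample banners, one per host, as an inventory script would collect them.
SAMPLE_BANNERS = {
    "workstation-a": 'java version "1.7.0_15"',
    "workstation-b": 'java version "1.7.0_17"',
    "workstation-c": 'java version "1.6.0_41"',
    "workstation-d": 'java version "1.6.0_43"',
    "workstation-e": 'java version "1.7.0_21"',
}


def unpatched_hosts(banners: dict) -> list:
    """Names of hosts whose JRE predates the fix, sorted for stable reporting."""
    return sorted(h for h, b in banners.items() if not is_patched(b))


if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_BANNERS):
        print(f"{host}: {SAMPLE_BANNERS[host]} -> needs update")
```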

PHP Shell Games

Speaking of malicious attacker software, this week also sees a quartet of new modules from community contributor bwall. We are now shipping modules targeting Ra1NX, STUNSHELL (two for that one), and v0pCr3w's shell.

These kinds of hack-the-hacker modules can be particularly useful on a penetration testing engagement. Not only are you able to identify machines that were compromised before you got there, but you can turn around and use the existing compromises to extend your own control over the affected assets. As egypt likes to say in his Metasploit training classes, "there is no cheating in hacking." Of course, you will want to alert your client pretty much right away and advise them on their current compromised situation.

MongoDB

I have it on good authority that internationally renowned superhacker and MongoDB user HD Moore was (quote) "just looking at that code," and was bummed that he didn't spot the vulnerability before agix. So it goes with bug-hunting: you can't win 'em all, and there are plenty of smart, dedicated exploit developers in the world who have just as good a shot at uncovering exploits that other smart, dedicated exploit devs might miss the first time around. In this case, it was community contributor agix who discovered the vulnerability in MongoDB and proved it out with a Metasploit module. 10gen, the primary maintainers of MongoDB, turned out a patch nearly immediately, so if you're a MongoDB user, you'll want to pick that up pronto.

New Modules

Wow, this post ended up being all about exploit content. Here are the rest of the modules -- 10 new ones, including those detailed above. In fact, the only non-exploit we have this week is a post-exploitation module for sneaking UNC paths into Word documents, courtesy of community contributor Sphaz. Thanks everyone!

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.
